Android Botnet Uses Twitter for Receiving Commands

A newly discovered Android backdoor is using an innovative method of receiving commands: it connects to a Twitter account instead of a command and control (C&C) server, ESET researchers say.

Dubbed Android/Twitoor, the malware was designed to download other malicious applications onto the infected devices and has been active for around a month, researchers say. Fortunately, the threat isn’t spreading through official Android storefronts, but through SMS or malicious URLs sent to its victims.

According to ESET researchers, the backdoor is impersonating a porn player application or MMS program, but it does not present the functionality such software would normally have. After being launched, the malware hides its presence on the infected device and starts checking a defined Twitter account at regular intervals for commands.

Depending on the commands it receives, the backdoor can either download malicious applications onto the compromised device or can switch to a different C&C Twitter account, researchers discovered.

ESET explains that malware that turns devices into botnets requires communication with a C&C server to receive updated instructions, and that this communication could raise suspicion from users. Moreover, they explain that, when these servers are seized, they tend to disclose information about the entire botnet.

To ensure that Twitoor botnet’s communication is more resilient, the malware authors decided to encrypt the transmitted messages. They also used complex topologies of the C&C network and new communication methods, such as social networks.

“These communication channels are hard to discover and even harder to block entirely. On the other hand, it’s extremely easy for the crooks to re-direct communications to another freshly created account,” explains Štefanko.

The researcher also explains that Twitoor is the first Twitter-based bot malware for Android, although other bots have been found to use non-traditional means as blogs or cloud messaging systems for control. However, Twitter has been used to control botnets for Windows before, as early as in 2009, Štefanko also says. In 2012, attackers programmed the Flashback Trojan targeting Macs to use Twitter as a command and control mechanism.

Other social networks, including Facebook and LinkedIn, are also expected to be leveraged for similar nefarious purposes. At the moment, Twitoor has been used to download mobile banking malware onto the infected devices, but it might not be long before its operators switch to other types of malware, such as ransomware, ESET’s researcher notes.

To stay protected, users should be cautious when opening URLs they receive from untrusted sources. They should also make sure their device’s operating system and applications, including a security software, are kept updated at all times.